Update dependency homeassistant to v2023.12.3 [SECURITY] #2
This PR contains the following updates: homeassistant ==2023.8.0 -> ==2023.12.3
GitHub Vulnerability Alerts
CVE-2023-41893
Part of the Cure53 security audit of Home Assistant.
The audit team's analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and homeassistant.local represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim's access_token, the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions.
To achieve this compromise attempt, the attacker must send a link with a redirect_uri that they control to the victim's own Home Assistant instance. In the eventuality the victim authenticates via the said link, the attacker would obtain the code sent to the specified URL in redirect_uri, which can then be leveraged to fetch an access_token.
An attacker could increase the efficacy of this strategy by registering a nearly identical domain to homeassistant.local, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. Nonetheless, owing to the requirements for victim interaction and Home Assistant instance exposure to the Internet, this severity rating was consequently downgraded to Low.
CVE-2023-50715
Summary
The login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network.
Details
Starting with the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request originates from a LAN address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fd00::/8, ::ffff:10.0.0.0/104, ::ffff:172.16.0.0/108, ::ffff:192.168.0.0/112). The rationale behind this is to make the login more user-friendly (see release blog post) and an experience better aligned with other applications that have multiple user-profiles.
However, as a result, all accounts are displayed regardless of whether they have logged in or not, and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.
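To see which clients the Details above actually cover, the following added example (not Home Assistant's code) classifies source addresses against exactly the ranges listed in the advisory. The sample addresses are constructed; the point it makes beyond the text is that the IPv4-mapped ::ffff: ranges are what catch IPv4 clients arriving on a dual-stack socket, while loopback and link-local addresses are not in the list at all.

```python
# Added example (not Home Assistant's code): classify request source
# addresses against the ranges the advisory lists as "Local Area Network",
# to see which clients would be shown the account list.
import ipaddress

# Ranges copied from the advisory text above.
LOCAL_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8",
        "::ffff:10.0.0.0/104", "::ffff:172.16.0.0/108", "::ffff:192.168.0.0/112",
    )
]


def is_local_request(remote_addr: str) -> bool:
    """True if remote_addr falls in one of the listed ranges. ipaddress only
    matches an address against networks of the same IP version, so an
    IPv4-mapped IPv6 address ("::ffff:10.1.2.3", as seen on a dual-stack
    listener) is matched by the ::ffff:... ranges rather than by 10.0.0.0/8."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # not an IP literal: treat as non-local
    return any(addr in net for net in LOCAL_NETWORKS)


def exposed_clients(remote_addrs):
    """Return the subset of addresses that would be served the account list."""
    return [a for a in remote_addrs if is_local_request(a)]


# Constructed sample of source addresses, not real log data.
SAMPLE_CLIENTS = [
    "192.168.1.20",        # typical home LAN
    "::ffff:10.3.4.5",     # IPv4 client seen through a dual-stack listener
    "fd12:3456::1",        # IPv6 unique local address
    "203.0.113.7",         # public address (documentation range)
    "127.0.0.1",           # loopback: not in the advisory's list
    "fe80::1",             # link-local: not in the advisory's list
]

if __name__ == "__main__":
    for addr in SAMPLE_CLIENTS:
        print(f"{addr:20} local={is_local_request(addr)}")
```

One caveat when reading this against a real deployment: if requests reach the server through a reverse proxy on the LAN, the address the server sees is the proxy's own, so a source-address check like this describes the real client only when the proxy's forwarded-address header is trusted and used.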
PoC
Impact
The following CVSS string could be shaped to describe the overall impact of this issue:
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
As seen, the Exploitability metrics are high, and the Impact metrics are low. This is fitting because the problem does not constitute a critical one, but at the same time, it is trivial to exploit. Still, since the mitigation can be so easily implemented in code to eliminate a typical case of information disclosure, it would certainly be worth pursuing.
Release Notes
home-assistant/core (homeassistant)
v2023.12.3 (Compare Source)
v2023.12.2 (Compare Source)
v2023.12.1 (Compare Source)
- 2023120.2 (@piitaya - #105299) (frontend docs)
- to_json template filter in parsing dict key (@jbouwh - #105327)
v2023.12.0 (Compare Source)
https://www.home-assistant.io/blog/2023/12/06/release-202312/
v2023.11.3 (Compare Source)
- restingHeartRate is not present (@allenporter - #103872) (fitbit docs)
v2023.11.2 (Compare Source)
- sleep value is a dictionary in Tractive integration (@bieniu - #103138) (tractive docs)
- None (@farmio - #103446) (knx docs)
- 2023103.2 (@bramkragten - #103706) (frontend docs)
v2023.11.1 (Compare Source)
v2023.11.0 (Compare Source)
https://www.home-assistant.io/blog/2023/11/01/release-202311/
v2023.10.5 (Compare Source)
v2023.10.4 (Compare Source)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.